NHS Digital Post Audit Review: UK Biobank Limited
This report provides the formal closure of the remote data sharing audit of UK Biobank Limited in July 2021
Audit summary
This report provides the formal closure of the remote data sharing audit of UK Biobank Limited (UKB) between 19 and 23 July 2021. It provides an evaluation of how UKB conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-309882-D1H7D-v2.01
- the data sharing agreement (DSA) DARS-NIC-08472-V9S6K-v12.2
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Hospital Episode Statistics (HES) Critical Care | Identifiable, Non-Sensitive | 2008/09 – 2020/21_M12 |
National Diabetes Audit | Identifiable, Sensitive | 2003/04 – 2017/18 |
Emergency Care Data Set (ECDS) | Identifiable, Sensitive | October 2017 – 2020/21_M12 |
Mental Health Minimum Data Set | Identifiable, Sensitive | 2006/07 – 2014/15 |
Mental Health and Learning Disabilities Data Set | Identifiable, Sensitive | 2014/15 – 2015/16 |
Improving Access to Psychological Therapies Data Set | Identifiable, Sensitive | 2012/13 – 2018/19 |
Medical Research Information Service (MRIS) – Members and Postings Report | Identifiable, Sensitive | 2011/12 – March 2020 |
HES Admitted Patient Care | Identifiable, Sensitive | 1997/98 – 2020/21_M12 |
HES Outpatients | Identifiable, Sensitive | 2003/04 – 2020/21_M12 |
HES Accident and Emergency | Identifiable, Sensitive | 2007/08 – 2019/20_M12 |
Diagnostic Imaging Dataset | Identifiable, Sensitive | 2012/13 – 2017/18 |
MRIS – Cause of Death Report | Identifiable, Sensitive | 2011/12 – March 2020 |
Mental Health Services Data Set | Identifiable, Sensitive | 2016/17 – 2017/18 |
MRIS – Cohort Event Notification Report | Identifiable, Sensitive | 2011/12 – March 2020 |
MRIS – List Cleaning Report | Identifiable, Sensitive | 2011/12 – March 2020 |
GPES Data for Pandemic Planning and Research (COVID-19) | Identifiable, Sensitive | Latest available |
Demographics | Identifiable, Sensitive | Latest available |
Civil Registration – Deaths | Identifiable, Sensitive | Latest available |
Cancer Registration Data | Identifiable, Sensitive | Latest available |
Bridge file: HES to Diagnostic Imaging Dataset | Identifiable, Non-Sensitive | |
Bridge file: HES to Mental Health Minimum Data Set | Identifiable, Non-Sensitive | |
The Controller is UKB and the Processor is the Nuffield Department of Population Health (NDPH) at the University of Oxford.
Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS Digital Data Sharing Remote Audit Guide.
Post audit review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by UKB between February and June 2022, including a Microsoft Teams call in June 2022.
Post audit review outcome
Based on the evidence provided by UKB, the Audit Team has closed the nonconformities. Although no further action is required by the Audit Team, there are 3 opportunities for improvement still open, and UKB should complete the actions against these findings.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original risk statement: Low
Current risk statement: Low
Data recipient’s acceptance statement
UKB has reviewed this report and confirmed that it is accurate.
Status
The following tables identify the 1 agreement nonconformity, 2 organisation nonconformities and 8 opportunities for improvement raised as part of the original audit.
UKB
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | UKB should add appropriate document management information to its Data Protection Impact Assessment (DPIA). | Operational Management | UKB has introduced a new system to manage documents such as the DPIA. This system is used to record the document management information rather than the document itself. | Opportunity for improvement | Closed |
2 | UKB should consider what specialist training is provided to new staff employed in named positions, for example, Senior Information Risk Owner (SIRO), Data Protection Officer (DPO) and Information Asset Owner (IAO). | Operational Management | UKB is currently implementing a new training platform. This new platform will provide a single location for staff training and awareness courses. The training platform was demonstrated to the Audit Team during a Microsoft Teams call in June 2022. UKB has also completed a review of current training requirements for senior roles, which will be taken into consideration when designing the new training and awareness programme. | Opportunity for improvement | Open, but not for follow-up |
3 | UKB should review the wording on its annual project report to ensure that the customer is confirming compliance with both the original Material Transfer Agreement and any subsequent UKB requirements. UKB should also consider whether it needs to audit companies to confirm adherence to the requirements. | Operational Management | UKB has amended its Applicant Annual Project Report template and its Collaborator Annual Confirmation template. Copies of the revised forms were supplied to the Audit Team. UKB has added the objective ‘Introduce a process for second or third party auditing of research institutes and suppliers that handle UKB data’ to its overall Information Security Management System Objectives with a target date of Quarter 3 2022. | Opportunity for improvement | Open, but not for follow-up |
NDPH
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
4 | There was insufficient evidence to show that access and privileges for the folders holding data supplied by NHS Digital are reviewed by NDPH on a regular basis. | Access Control | Standard Operating Procedures (SOPs) have been created for: | Agreement nonconformity | Closed |
5 | NDPH to ensure the information it receives from its third-party disposal company provides a more definitive and accurate statement of what was destroyed, in line with its Data Disposal Policy, and that this list is then reconciled with its own records. | Data Destruction | NDPH provided destruction records, received from the third-party disposal company, along with copies of asset reports confirming reconciliation against its own records. This evidence was an improvement on that witnessed during the audit. | Organisation nonconformity | Closed |
6 | The level of encryption applied to the laptop used to manage the download of data from NHS Digital through the Secure Electronic File Transfer (SEFT) download portal was not in line with NDPH policy. | Access Control | NDPH provided evidence that the correct level of encryption has been applied to the laptop. | Organisation nonconformity | Closed |
7 | NDPH should revise some of the statements in its documentation to reflect that folders in its storage environment are backed up, though only within the same environment. | Operational Management | NDPH provided the Audit Team with its latest back-up procedure, which recognised recent changes to the process and the technology. During a Microsoft Teams call in June 2022 the updated IG Handbook (dated 28 April 2022) was presented to the Audit Team. | Opportunity for improvement | Closed |
8 | NDPH should review its process for communicating the publication of new policies to all staff. | Operational Management | NDPH provided a copy of its latest Information Governance Officer SOP (v1.0, dated 1 March 2022), which now includes the communication of policies to staff. During a Microsoft Teams call in June 2022, NDPH confirmed all staff had been sent an email with the updated IG Handbook and a link to the intranet site. | Opportunity for improvement | Closed |
9 | NDPH should contact the SEFT team to establish whether data can be downloaded to a named location so that the number of touchpoints for the data can be reduced. | Information Transfer | NDPH has enabled a setting which allows the user to specify a download folder. For future downloads, NDPH will download directly to the server, thereby removing one of the touchpoints. | Opportunity for improvement | Closed |
10 | In evolving the new wiki page regarding the destruction of data, NDPH should ensure that the instructions are fully compliant with its Data Destruction Policy. | Data Destruction | NDPH provided evidence to confirm the revised wiki page is compliant with the Data Destruction Policy. | Opportunity for improvement | Closed |
11 | NDPH should include the UKB project in its future internal audit programme. This audit should be conducted against the internal audit processes as outlined in the NDPH information governance and security procedures. | Operational Management | NDPH has scheduled an audit of the UKB project for summer 2022. The Audit Team was provided with a copy of the Internal Audit Schedule 2022. | Opportunity for improvement | Open, but not for follow-up |
Disclaimer
NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 19 August 2022 12:48 pm